Q. When converting an Azure AD domain to federated authentication I receive an error saying the account I'm signed in with is a member of that domain. What can I do?
A. I had an Azure AD instance that I wanted to switch over to federated authentication instead of standard authentication; however, when I tried to perform the conversion I received the error below:
PS C:\Users\john.SAVILLTECH> Convert-MsolDomainToFederated -DomainName 'savilltech.net'
Convert-MsolDomainToFederated : You cannot convert the specified domain to use identity federation because the account you are currently signed in with is a member of the domain savilltech.net. Please sign in to the service using an account that is a member of the company administrators role and is not part of the domain savilltech.net, and then try again.
At line:1 char:1
+ Convert-MsolDomainToFederated -DomainName 'savilltech.net'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Convert-MsolDomainToFederated], FederationException
    + FullyQualifiedErrorId : CannotConvertDomainToFederatedAsADomainUser,Microsoft.Online.Identity.Federation.Powershell.ConvertDomainToFederated
The problem was that the account I was using held the Global Administrator role but its user principal name was in the Azure AD custom domain, i.e. savilltech.net, the very domain being converted. The solution is to use an account that belongs to the tenant but whose UPN is in the tenant's onmicrosoft.com domain, e.g. savilltech.onmicrosoft.com. That account must also be a Global Administrator; signed in with it, the conversion works.
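The following is an added example and not part of the original answer: a pre-flight script for the MSOnline module that checks the two conditions the error message names (the signed-in account is outside the domain being converted, and it holds the Company Administrator role) before calling Convert-MsolDomainToFederated. The domain name, the admin UPN and the parameter names of this script are assumptions for illustration; the cmdlets are the standard MSOnline ones.

```powershell
# Added example: pre-flight checks before converting a domain to federated.
# Assumed values: $DomainToFederate (the custom domain from the post) and
# $AdminUpn (a cloud-only Global Administrator in the onmicrosoft.com domain).
param(
    [string]$DomainToFederate = 'savilltech.net',
    [string]$AdminUpn         = 'admin@savilltech.onmicrosoft.com'
)

Import-Module MSOnline -ErrorAction Stop

# Sign in with an explicit credential so the script knows which account the
# session was opened with (Connect-MsolService does not report it back).
$cred = Get-Credential -UserName $AdminUpn -Message 'Cloud-only Global Administrator'
Connect-MsolService -Credential $cred

# Check 1: the signed-in account's UPN suffix must not be the domain being converted.
$suffix = ($cred.UserName -split '@')[-1]
if ($suffix -ieq $DomainToFederate) {
    throw "Signed in as $($cred.UserName), which is in $DomainToFederate. Use an account in the tenant's onmicrosoft.com domain instead."
}

# Check 2: the account must be a member of the Company Administrator
# (Global Administrator) role, as the error message requires.
$role    = Get-MsolRole -RoleName 'Company Administrator'
$isAdmin = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.EmailAddress -ieq $cred.UserName }
if (-not $isAdmin) {
    throw "$($cred.UserName) is not a member of the Company Administrator role."
}

# Check 3: the domain must exist in the tenant, be verified, and not already be federated.
$domain = Get-MsolDomain -DomainName $DomainToFederate
if ($domain.Status -ne 'Verified') {
    throw "$DomainToFederate is not verified (status: $($domain.Status))."
}
if ($domain.Authentication -eq 'Federated') {
    Write-Host "$DomainToFederate is already federated; nothing to do."
    return
}

# All checks passed: run the conversion. The AD FS context is assumed to have
# been set beforehand with Set-MsolADFSContext, as in the normal procedure.
Convert-MsolDomainToFederated -DomainName $DomainToFederate

# Report the resulting authentication type for the domain.
Get-MsolDomain -DomainName $DomainToFederate | Select-Object Name, Status, Authentication
```

Running the script as the custom-domain admin from the post makes check 1 fail with a clear message before any call to the service is attempted; running it as the onmicrosoft.com Global Administrator passes all three checks and performs the conversion.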